59
Chapter 9 - Configuring Firewall/NAT Settings
ASUS SL1200
packet inspection engine. Otherwise, the packet will be dropped. This “hole”
will be closed when the connection session terminates. No configuration
is required for stateful packet inspection. It is enabled by default when the
firewall is enabled. Refer to section 11.1 Configure System Services to
enable or disable the firewall service on the router.
9.1.2 Denial of Service (DoS) Protection
Both DoS protection and stateful packet inspection provide the first line of
defense for your network. No configuration is required for either protection
as long as the firewall is enabled on the router, and the firewall is enabled
by default. Refer to section 11.1 Configure System Services to enable or
disable the firewall service on the router.
9.1.3 Firewall and Access Control List (ACL)
9.1.3.1 Priority Order of ACL Rule
All ACL rules have a rule ID assigned; the smaller the rule ID, the higher
the priority. The firewall monitors traffic by extracting the header information
from each packet and then either drops or forwards the packet by looking for
a match in the ACL rule table based on that header information. ACL rule
checking starts from the rule with the smallest rule ID and continues until a
match is found or all ACL rules have been examined. If no match is found, the
packet is dropped. Otherwise, the packet is either dropped or forwarded
according to the action defined in the matching ACL rule.
9.1.3.2 Tracking Connection State
The stateful inspection engine in the firewall keeps track of the state, or
progress, of a network connection. By storing information about each
connection in a state table, the router is able to quickly determine if a
packet passing through the firewall belongs to an already established
connection. If it does, it is passed through the firewall without going
through ACL rule evaluation.
For example, suppose an ACL rule allows outbound ICMP packets from 192.168.1.1
to 192.168.2.1. When 192.168.1.1 sends an ICMP echo request (such as
a ping packet) to 192.168.2.1, 192.168.2.1 will send an ICMP echo reply
back to 192.168.1.1. You do not need to create another inbound ACL rule
in the router, because the stateful packet inspection engine remembers the
connection state and allows the ICMP echo reply to pass through the
firewall.
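The following Python model is an added illustration of the two mechanisms described in 9.1.3.1 and 9.1.3.2 (first-match evaluation in ascending rule-ID order, default drop, and state-table bypass for replies); it is not ASUS firmware code, and the rule fields, the state-table key and the `close_session` method are simplifying assumptions of this example.

```python
# Added model (not ASUS's implementation) of the SL1200 firewall behaviour
# described above: ACL rules checked from the smallest rule ID, default drop
# when nothing matches, and a state table that lets replies bypass the ACL.
from collections import namedtuple

# rule_id: smaller = higher priority; direction: "outbound"/"inbound";
# action: "forward"/"drop". Matching here is on exact header fields only.
Rule = namedtuple("Rule", "rule_id direction proto src dst action")
Packet = namedtuple("Packet", "direction proto src dst")

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.rule_id)  # smallest ID first
        self.state_table = set()  # (proto, initiator, responder) of open sessions

    def _acl_lookup(self, pkt):
        # First match wins; if no rule matches, the packet is dropped.
        for r in self.rules:
            if (r.direction, r.proto, r.src, r.dst) == (pkt.direction, pkt.proto, pkt.src, pkt.dst):
                return r.action, r.rule_id
        return "drop", None

    def process(self, pkt):
        # A packet flowing back toward a known initiator belongs to an
        # established session and skips ACL evaluation entirely.
        if (pkt.proto, pkt.dst, pkt.src) in self.state_table:
            return "forward", "state"
        action, rule_id = self._acl_lookup(pkt)
        if action == "forward":
            self.state_table.add((pkt.proto, pkt.src, pkt.dst))  # open the "hole"
        return action, rule_id

    def close_session(self, pkt):
        # Session terminated: the reply-direction "hole" is closed again.
        self.state_table.discard((pkt.proto, pkt.src, pkt.dst))

def icmp_demo():
    # Replay the manual's ping example with a single outbound-only ACL rule.
    fw = StatefulFirewall([Rule(1, "outbound", "icmp", "192.168.1.1", "192.168.2.1", "forward")])
    request = Packet("outbound", "icmp", "192.168.1.1", "192.168.2.1")
    reply = Packet("inbound", "icmp", "192.168.2.1", "192.168.1.1")
    verdicts = [fw.process(request), fw.process(reply)]
    fw.close_session(request)
    verdicts.append(fw.process(reply))  # no session any more: dropped by default
    return verdicts
```

The third verdict shows why a reply that arrives after the session has closed, or one that was never solicited, still needs an explicit inbound ACL rule to be accepted.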